From the U.S. Government Accountability Office, www.gao.gov

Transcript for: Weapons Systems Cybersecurity

Description: As Department of Defense weapon systems become more reliant on digital networking, how do they plan for cyber threats?

Related GAO Work: GAO-19-128: Weapon Systems Cybersecurity: DOD Just Beginning to Grapple with Scale of Vulnerabilities

Released: October 2018

[Background Music]

[Cristina Chaplain:] It looks grim unless they really see this as a wake-up call and they start taking actions in a serious manner.

[Matt Oldham:] Welcome to GAO's Watchdog Report, your source for news and information from the U.S. Government Accountability Office. I'm Matt Oldham. The Department of Defense plans to spend around $1.66 trillion on its portfolio of major weapons systems. This includes weapons that are becoming more and more connected to digital networks or reliant on automation. But as the technology advances, so does the threat posed by cyber-attacks. I'm with Cristina Chaplain, a director on our Contracting and National Security Acquisitions team, and she led a GAO report that reviewed the state of cybersecurity for DOD's weapon systems. Thanks for joining me, Cristina.

[Cristina Chaplain:] Thank you. Good to be here.

[Matt Oldham:] So, how vulnerable are DOD's weapons systems to hacking? Could someone take control of a U.S. military drone and attack us with our own weapons?

[Cristina Chaplain:] Well, we looked at the systems in development as opposed that those are the ones that are out there on the battlefield, but as far as the ones in development, DOD's own testing shows that they could be pretty easily hacked and there's basic issues going on, such as poor password management, things like that, so there's definitely some challenges we're discovering as systems are in development. If it were a fielded system, chances are, hopefully, that these problems were discovered in testing and fixed. It's not a guarantee, but definitely shows that there are some things to be worried about.

[Matt Oldham:] So, what is the Department of Defense doing to defend its resources and equipment from cyber-attacks?

[Cristina Chaplain:] Actually, until recently, DOD was not prioritizing cyber to the extent it should in the development process. But it has begun to grasp the magnitude of the problem and taken an array of actions. On one side, it's conducting classified assessments of systems to see where the vulnerabilities are individually, as well as across systems. And then on the other side, they've instituted and revised a lot of policies and procedures that make sure cyber is a focus all throughout the acquisition process. So, when you're making trades during the requirements process, it's going to be a focus. When you're prototyping, it's going to be a focus. And when you're testing. And whether or not these measures are going to do the trick, it's too soon to tell at this point.

[Matt Oldham:] As the Department of Defense addresses these cyber issues, what are some of the things they've had to contend with?

[Cristina Chaplain:] Well, the systems themselves over the past decade or so, DOD has really been emphasizing networking them and bringing them together, which increases the span of their challenge in terms of cyber and addressing things like making software patches can be tremendously more complicated in that environment. Also, the threat to DOD systems is growing and as it is for all kinds of systems, you know, business-wise and home-wise. There's also a culture right now at DOD where we feel like the extent of this problem really isn't appreciated at the program level. So DOD has got a lot of work ahead of it to overcome some cultural issues and also finding the right people to address cyber. That's a challenge everywhere right now, on the business side as well as the government side and it's not going to be any different for DOD to find good people. And then there's information sharing challenges. Sometimes if there's a vulnerability, it might be classified and not everybody on a program knows about it, so sharing what's out there and what to do about it can be difficult.

[Background Music]

[Matt Oldham:] So, it sounds like because not all weapons programs have been tested for cyber defense, it's likely the Department of Defense is only aware of some threats. And this would mean there's still work to be done. So, Cristina, how does it look for DOD going forward?

[Cristina Chaplain:] It looks grim unless they really see this as a wake-up call and they start taking actions in a serious manner. I think what's happened now is that leadership recognizes there's a problem, they've put good things in place, but the key is to sustain that attention going forward. This is just the beginning of an effort that's going to be very, very long-term. Also, I think one thing to realize in going forward, it may not be all big money needed to fix these problems. There's basic cyber hygiene, things like password management, that--those can be fixed pretty easily with just cultural changes.

[Matt Oldham:] So, lastly, what do you believe is the bottom line of your report?

[Cristina Chaplain:] People look at weapons and think they're automatically very different than their own home computers or the business networks that we see getting attacked every day, but they're not so different in their makeup. They have the same components computer-wise that can be attacked. The key is to really focus on that from the very beginning to give yourself a good chance of being able to withstand attacks or to deal with them as they occur. And until recently that wasn't being done, the kind of focus really early in the development process, but DOD has recognized that, they're taking actions. It's a good start, but really needs to be sustained attention going forward.

[Matt Oldham:] Cristina Chaplain is a Contracting and National Security Acquisitions director and she was talking about a GAO report on the Department of Defense weapons systems cybersecurity. Thank you for your time, Cristina.

[Cristina Chaplain:] Thank you.

[Background Music]

[Matt Oldham:] And thank you for listening to the Watchdog Report. To hear more podcasts, subscribe to us on Apple Podcasts.

[Background Music]

[Matt Oldham:] For more from the congressional watchdog, the U.S. Government Accountability Office, visit us at gao.gov.